On Mon, 21 Apr 2014, D. Hugh Redelmeier wrote:
> Consider
>     virtual_private=%v4:!10.0.0.0/8,%v4:10.0.0.0/24
> No addresses are private in this case. I imagine that that surprises you.
>
> Consider
>     virtual_private=%v4:10.0.0.0/8,%v4:!10.0.0.0/16,%v4:10.0.0.0/24
> In this one, the /24 will not have an effect.

I see. Those cases are unexpected (though understandable).

> | If multiple includes overlap, why would we care as long as we match it?
> | If multiple excludes overlap, why would we care as long as we match it?
>
> any matching exclude (no matter how broad) trumps any include (no matter how narrow).

So it is failing on the side of caution. I do think that longest prefix first match, regardless of include or exclude, would be more intuitive and the right thing to do.

> Note: I don't see a disaster here, only an awkwardness and a surprise. My guess is that most virtual-private specifications are simple and don't hit this lack of expressive power.

Yes, but bigger deployments could definitely hit this, especially after some organic (unmanaged) growth or acquisitions.

Paul
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
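The two virtual_private specs discussed above, modelled in a small added Python example that is not libreswan's code nor from either poster: it evaluates sample addresses under the rule Hugh describes (any matching exclude trumps any include) and under the longest-prefix rule Paul proposes, so the "no addresses are private" and "the /24 has no effect" outcomes can be checked directly. The parser (only `%v4:`/`%v6:` entries with a leading `!` for excludes), the function names, and the tie-break at equal prefix length (exclude wins) are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample specs, copied from the two examples in the thread.
SPEC_EXCLUDE_BROAD = "%v4:!10.0.0.0/8,%v4:10.0.0.0/24"
SPEC_NESTED = "%v4:10.0.0.0/8,%v4:!10.0.0.0/16,%v4:10.0.0.0/24"


def parse_virtual_private(spec):
    """Parse a virtual_private-style string into (network, is_exclude) pairs.

    Assumed syntax: comma-separated %v4:/%v6: entries, a leading '!' marks an
    exclude. Hypothetical parser for illustration, not libreswan's own.
    """
    entries = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        family, sep, net = item.partition(":")
        if sep != ":" or family not in ("%v4", "%v6"):
            raise ValueError(f"unsupported virtual_private entry: {item!r}")
        is_exclude = net.startswith("!")
        network = ipaddress.ip_network(net.lstrip("!"), strict=False)
        entries.append((network, is_exclude))
    return entries


def is_private_exclude_wins(entries, addr):
    """Rule as described in the thread: any matching exclude, however broad,
    trumps any include, however narrow."""
    ip = ipaddress.ip_address(addr)
    # ip-in-network comparisons across address families simply return False
    hits = [is_exclude for net, is_exclude in entries if ip in net]
    return bool(hits) and not any(hits)


def is_private_longest_prefix(entries, addr):
    """Rule Paul proposes: the longest matching prefix decides, whether it is
    an include or an exclude. Assumed tie-break: at equal prefix length the
    exclude wins, keeping the cautious default."""
    ip = ipaddress.ip_address(addr)
    hits = [(net.prefixlen, is_exclude) for net, is_exclude in entries if ip in net]
    if not hits:
        return False
    # tuples compare prefixlen first, then True (exclude) sorts above False
    _, is_exclude = max(hits)
    return not is_exclude


def compare_rules(spec, addrs):
    """Return {addr: (exclude_wins, longest_prefix)} so differences are visible."""
    entries = parse_virtual_private(spec)
    return {a: (is_private_exclude_wins(entries, a),
                is_private_longest_prefix(entries, a)) for a in addrs}


if __name__ == "__main__":
    samples = ["10.0.0.5", "10.0.5.5", "10.9.9.9", "192.168.1.1"]
    for spec in (SPEC_EXCLUDE_BROAD, SPEC_NESTED):
        print(spec)
        for addr, (cur, lpm) in compare_rules(spec, samples).items():
            print(f"  {addr:<12} exclude-wins={cur!s:<5} longest-prefix={lpm}")
```

Under the exclude-wins rule the first spec marks nothing private and the second never lets the /24 override the /16 exclude; under longest-prefix, 10.0.0.5 becomes private in both specs while 10.0.5.5 stays excluded, which is the behaviour the proposal asks for. Whichever rule a deployment relies on, the cautious check is to run the live spec through something like this before trusting that a narrow include is actually in effect.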
